PT-2025-31705 · Traefik (+1)

Odaysec · Published 2025-08-01 · Updated 2026-02-05 · CVE-2025-54386

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
- Traefik versions 2.11.27 and below
- Traefik versions 3.0.0 through 3.4.4
- Traefik version 3.5.0-rc1

Description
Traefik is an HTTP reverse proxy and load balancer. A path traversal vulnerability exists in Traefik's WASM plugin installation mechanism. Supplying a maliciously crafted ZIP archive containing file paths with ../ sequences allows an attacker to overwrite arbitrary files on the system outside of the intended plugin directory. This can lead to remote code execution (RCE), privilege escalation, persistence, or denial of service.

Recommendations
- Update to Traefik version 2.11.28 or later.
- Update to Traefik version 3.4.5 or later.
- Update to Traefik version 3.5.0 or later.
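As an added defensive illustration (not Traefik's own code and not the fix referenced in this advisory), the Go check below shows how a plugin installer can reject ZIP entries whose names would escape the plugin directory before writing anything to disk. It assumes Go 1.20 or later (for zip.ErrInsecurePath) and uses /var/lib/traefik/plugins as a constructed example directory, not a path taken from Traefik.

```go
package main

import (
	"archive/zip"
	"bytes"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

var ErrZipSlip = errors.New("archive entry escapes the plugin directory")

// SafeEntryPath joins an archive entry name onto destDir and rejects any name
// that would land outside it: absolute paths, backslashes, or a leading ".."
// that survives cleaning (the ZIP form of the path traversal described above).
func SafeEntryPath(destDir, name string) (string, error) {
	if name == "" || filepath.IsAbs(name) || strings.Contains(name, `\`) {
		return "", ErrZipSlip
	}
	target := filepath.Join(destDir, name) // Join cleans, so "a/../b" becomes "b"
	rel, err := filepath.Rel(destDir, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrZipSlip
	}
	return target, nil
}

// ValidateArchive checks every entry name before any file is written, so one
// traversal entry rejects the whole plugin archive instead of half-unpacking it.
func ValidateArchive(archive []byte, destDir string) error {
	r, err := zip.NewReader(bytes.NewReader(archive), int64(len(archive)))
	if err != nil && !errors.Is(err, zip.ErrInsecurePath) {
		return err // corrupt archive; insecure names are reported per entry below
	}
	for _, f := range r.File {
		if _, err := SafeEntryPath(destDir, f.Name); err != nil {
			return fmt.Errorf("entry %q: %w", f.Name, err)
		}
	}
	return nil
}

func main() {
	// Constructed entry names, as they might appear in a crafted plugin archive.
	for _, name := range []string{"plugin.wasm", "assets/../.traefik.yml", "../../etc/cron.d/job", "/etc/passwd"} {
		p, err := SafeEntryPath("/var/lib/traefik/plugins", name)
		fmt.Printf("%-24s -> %s %v\n", name, p, err)
	}
}
```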

Tags: Exploit, Fix, RCE, DoS, LPE, Path traversal

Weakness Enumeration

Related Identifiers

ALT-PU-2025-11948
CVE-2025-54386
ECHO-6F33-0C94-3AAA
GHSA-Q6GG-9F92-R9WG
GO-2025-3835
OPENSUSE-SU-2025:15434-1
OPENSUSE-SU-2026:10143-1
SUSE-SU-2025:02912-1

Affected Products

Alt Linux
Traefik